This currently works as designed. In the proxy case we have the following situation:
If no Server header is set (either because the backend does not set one or
because you have unset it the Server header is set with the default value).
In the non proxy case the Server header is always set to the predefined value.
It cannot be changed.
So I mark this as invalid. Feel free to reopen if you think that this is either
a documentation bug or an enhancement.
BTW: Unsetting the Content-Length header is not really a smart idea as it breaks
HTTP/1.1 connections.
S

It has long been the policy of the httpd developers that Server cannot be
omitted nor lied about using configuration. I don't think that is unreasonable.
There are very very few good reasons to omit the Server header, and if you
really need to, you have the source code. The fact that Server is not required
by the spec certainly doesn't mean that it is required to make it optional. The
header is configurable via ServerTokens, but it can't be omitted.
If you disagree with this policy, you should take it up on the dev@httpd mailing
list. This is not a bug or a design flaw.

Out of context quote. Try the whole paragraph:
" Note: Revealing the specific software version of the server might
allow the server machine to become more vulnerable to attacks
against software that is known to contain security holes. Server
implementors are encouraged to make this field a configurable
option."
The display of specific version information is already configurable.

I didn't notice you reopened this. Thanks for the patches, which may indeed be
useful for people. But as I said, there is no bug here. If you wish to discuss
the policy decision, dev@httpd is the correct place.
(I personally think it is stupid to remove this field, but I wouldn't strongly
object to your patch simply because there are so many silly people who request
it that it continually wastes developer time.)

I don't see where my quote is of out context. Anyway, most people like to
*change* the Server header. This is indeed silly. Removing it starts to make
sense when you have to pay exorbitant high amounts of money for your traffic -
for what reason - and have a high traffic site. In this case saving these 17
Bytes can save you several hundred € a month.

Apache documentation (v2.0-v.2.2) states that the "header unset Server" directive should work:
"The header is modified just after the content handler and output filters are run, allowing outgoing headers to be modified."
This is in contrast to what the documentation *used* to say (v.1.3):
"The Header directives are processed just before the response is sent by its handler. These means that some headers that are added just before the response is sent cannot be unset or overridden. This includes headers such as 'Date' and 'Server'."
This change in the documentation implies that someone intended the "header unset Server" directive to work. Either the directive should be made to work (preferably) OR the documentation should be changed. Otherwise, this is a bug, not a feature or "enhancement request".
I personally consider this important since, according to the HTTP specification, the "Server" field is unnecessary and, given I'm planning to publish a large number of pages less than 2 KB (compressed), it could represent more than 1% of my outgoing traffic.

"Except in early mode, the Header directives are processed just before the response is sent to the network. These means that it is possible to set and/or override most headers, except for those headers added by the header filter."
The document says not "all headers" but "most headers".
I'm not sure what "the header filter" exactly means.
I feel the document is somehow unkind.

Out of principal, server administrators should have 100% control over what comes out of their server as long as it conforms to the spec. What if "App: Notepad" or "App: Nano" was prepended to every text document touched by these applications? It would be absurd. Please reconsider this "feature".

Please do not reopen the bug. WONTFIX is the proper status until the development community decides otherwise on the dev@httpd mailing list. Feel free to provide your input there. (Personally, I've lost count of the different ways I have patched different versions of httpd to remove the server header. :( )

Ok so the "opinions" of not fixing this were from 2006 - surely 10 years later dev's have realised that it makes no sense for this limitation? Or are we still going to work against the few people who are still using this software?

(In reply to Gunter Grodotzki from comment #20)
> Ok so the "opinions" of not fixing this were from 2006 - surely 10 years
> later dev's have realised that it makes no sense for this limitation? Or are
> we still going to work against the few people who are still using this
> software?
See comment #19 if you're motivated to see a change here. Ignoring it and posting more patronizing comments here is unlikely to help.

This is ASF Bugzilla: the Apache Software Foundation bug system. In case
of problems with the functioning of ASF Bugzilla, please contact
bugzilla-admin@apache.org.
Please Note: this e-mail address is only for reporting problems
with ASF Bugzilla. Mail about any other subject will be silently
ignored.